Managing Online Security Risks
New York Times; New York, N.Y.; Jun 1, 2000; Hal R. Varian
translator: D.Nescient     2006-11-12    Shanghai


The Internet has sometimes been described as "an experiment that escaped from the lab." It grew up in a calm environment in which the network researchers all knew and trusted each other. But after it left the laboratory in 1995, it found itself in an environment full of ugliness and hostility.

Recent security incidents, such as the "I love you" virus a few months ago and the attacks on major websites, have shown clearly how fragile the Internet is.

Modern cryptography is often welcomed as a cure-all for building a secure commercial computing space, but it only works when people actually use cryptographic security features effectively.

Security researchers have tended to focus on the hard problems of cryptography and system design. By contrast, the questions surrounding ordinary people's use of computers, and the creation of incentives to avoid fraud and abuse, have been relatively neglected. That needs to be corrected.

A.T.M.s (automated teller machines) are a good example. A great deal of thought went into the security design of these systems, and relatively sophisticated cryptographic techniques were used to resist attacks. But how effective were these designs?

Several years ago, Ross Anderson, a security researcher at Cambridge University, investigated a large number of A.T.M. fraud cases in England and reached a conclusion: almost all of the incidents involved human error. The cryptography was sound; the security problems arose because the systems were wrongly installed, wrongly configured and poorly managed by the local banks. His paper, "Why Cryptosystems Fail", can be found at http://www.cl.cam.ac.uk/ftp/users/rja14/wcf.ps.gz.

Why were the local banks so sloppy? The answer lies in the way liability is assigned in England. In the United States, if there is a dispute between a customer and a bank, the customer is always right unless the bank can produce evidence that the customer is wrong. In Britain, the burden of proof is reversed: the bank is always right unless the customer can produce evidence that the bank is wrong. It is almost impossible for the customer to prove that the bank was at fault, so British banks had almost no incentive to pay attention to security. The resulting sloppiness led to a string of A.T.M. fraud.

In the United States, banks have an incentive to invest in risk management techniques. Local banks, for example, have installed cameras to counter A.T.M. fraud and have trained their staff in security practices. So, Mr. Anderson concluded, even though American banks spend less money on security than British banks, they handle security problems more effectively.

This example illustrates a basic principle of the economic analysis of liability: liability should be assigned to the party best able to manage the risk. For most risks associated with A.T.M.s, the banks are in a better position than users to manage the risk, so they should bear most of the liability. But you would not want users to escape all liability for their actions either, since they would then tend to become careless. The right balance should depend on the influence each party has over the possible risk factors.

Let us return to computer attacks. One reason computer security is so weak in practice is that liability is too diffuse. Consider the attack that took place a few months ago: computer vandals took control of machines on relatively unprotected university networks and used them to shut down Yahoo and other major websites. Although the universities found the takeover of their machines a nuisance, they did not bear the enormous losses from the attack on Yahoo. If these universities were made to bear some liability toward the third parties harmed by the vandals, they would have a strong incentive to make their networks more secure.

The same problem arises in providing high-speed broadband service to the home. By default these networks are always connected to the Internet, which makes them easy to use for launching attacks in cyberspace. If a user's computer is taken over, should he bear the losses of the other users who are attacked? The average user is essentially helpless when it comes to protecting his computer from takeover, so assigning liability to him would achieve nothing. Assigning liability to the network operator makes more sense.

A typical security analysis involves identifying the weak points in a system and indicating who is in a position to fix them. But security analysis should go one step further and examine the incentives of those responsible for the system. Such an analysis can be used to assign liability so that those who are well placed to control the risk have an incentive to do their job well.

Once the assignment of liability is settled, the liable party will no doubt need to buy insurance. At first glance this seems counterproductive: if your liability is fully insured, why would you still invest in risk management? In fact this overlooks the incentives of the insurers: they only want to insure clients who apply good security practices, and so they will make every effort to instruct their clients in how to improve their Internet security.


Just as an insurer of an office building will give you a reduced premium rate if you have a sprinkler head every 12 feet, an insurer against computer crime will give you a reduced rate if you install security patches within two weeks of their release, provide continuing education for security staff and engage in other good risk management practices.

This is how it should work, but we are not there yet. Many insurers have very little experience with computer security and, being unable to judge the risks, can offer little in the way of protection. As their experience grows, they will be in a better position to advise their clients. When insurers do begin underwriting against computer attacks, they will have every incentive to do it right: if they give bad advice, they will have to pay the resulting claims.

So, what should be done about computer crime? The first step is to assign legal liability to the party best able to manage the risk. Then insurers need to develop specialized risk management expertise for computer security and offer that service to their clients. Unfortunately, this will be a long process. In the meantime, we can expect to see more chaos on the Internet.


Translator's note:
Premium rate (费率): the premium charged per unit of insured amount, commonly referred to as the price of buying insurance.

Original text attached:

Managing Online Security Risks

New York Times; New York, N.Y.; Jun 1, 2000; Hal R. Varian

THE Internet has sometimes been described as a "lab experiment that got loose." It was developed in a sheltered environment of network researchers who knew and trusted each other. But after it escaped from the laboratory in 1995, it found itself in a hostile environment full of unsavory characters.

Recent security incidents like the "I love you" virus and the attacks on major Web sites a few months ago have shown how vulnerable the Internet really is.

Modern cryptography is often hailed as the magic elixir that will make cyberspace safe for commerce. But it will only work if people use cryptographic security features effectively.

Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast, the soft issues revolving around the use of computers by ordinary people and the creation of incentives to avoid fraud and abuse have been relatively neglected. That needs to be rectified.

Automated teller machines are a good example. A lot of thought went into the security design of these systems and relatively sophisticated encryption techniques were used to guard against attacks. How effective were these designs?

Several years ago, Ross Anderson, a security researcher at Cambridge University, examined a number of cases of fraud at automated teller machines in Britain and concluded that almost all of the incidents involved human error. The encryption technology was fine; the security problems occurred because the systems were misinstalled, misconfigured and mismanaged by the local banks. The paper, "Why Cryptosystems Fail", can be found at http://www.cl.cam.ac.uk/ftp/users/rja14/wcf.ps.gz.

Why were the local banks so sloppy? The answer lies in the way liability is assigned in Britain. In the United States, if there is a dispute between a customer and a bank, the customer is right unless the bank can show that he is wrong. In Britain, the burden of proof is reversed; the bank is right unless the customer can show it is wrong. Since it is almost impossible for a customer to prove the bank made a mistake, British banks had little incentive to take care. The resulting sloppiness led to a rash of A.T.M. fraud.

In the United States, banks have an incentive to invest in risk management techniques. Banks in areas prone to A.T.M. fraud, for example, have installed cameras and trained their staff in security practices. So, even though American banks spend less on security than do British banks, Mr. Anderson concluded, they deal with it more effectively.

This example illustrates one of the fundamental principles of the economic analysis of liability: it should be assigned to the party that can do the best job of managing risk. For most risks associated with A.T.M.'s the banks are in better position to manage risks than are the users, so they should end up with most of the liability. But you wouldn't want the users to escape all liability for their actions, since they would then tend to be too sloppy. The right balance should depend on the influence that each party has over the possible risk factors.

Which brings us back to computer attacks. One reason that computer security is so poor in practice is that the liability is so diffuse. Consider the attacks that took place a few months ago, in which computer vandals took over computers on relatively unprotected university networks and used them to shut down Yahoo and other major Web sites. Although the universities found the takeover of their machines a nuisance, they didn't bear the bulk of the costs of the attack on Yahoo. But if universities bore some liability for the damages to third parties, they would have a stronger incentive to make their networks more secure.

The same problem arises with providing high-speed broadband service to the home. These networks are, by default, always connected to the Internet, leaving them susceptible to being used to mount an attack in cyberspace. If a particular user's computer is taken over, should he have liability for the cost of the attack on someone else? The average user is essentially clueless about how to prevent his computer from being taken over, so assigning liability to him would be pointless. Assigning liability to the network operator would make more sense.

A typical security analysis involves identifying weak points in a system and indicating who might be in a position to fix them. But security analysts should go one step further and examine the incentives of those responsible for the system. Such an analysis could be used to assign liability so that those who are best positioned to control the risks have appropriate incentives to do so.

Once the liability assignment is straightened out, the parties stuck with the liability will no doubt want to buy insurance. At first glance, it appears that this is counterproductive: if you are perfectly insured against liability, why should you invest in risk management? But this ignores the incentives of the insurers: they only want to insure clients who use good security practices, giving them every incentive to instruct their clients in how to improve their Internet security.

Just as an insurer of an office building will give you a reduced rate if you have sprinklers every 12 feet, an insurer against computer crime will give you a reduced rate if you install security patches within two weeks of their posting, provide continuing education for security staff and engage in other good risk management practices.

This is how it should work, but we are not there yet. Most insurance companies have very little experience with computer security, and being unable to judge the risks, they offer little in the way of protection. As their experience increases, they will be better placed to offer advice to their clients. And when insurance companies do start insuring against computer attacks, the companies will have a great incentive to do it right: if they give bad advice, they will have to pay the resulting insurance claims.

So, what should be done about computer crimes? The first step is to assign legal liability to the parties best able to manage the risk. Insurers can then develop expertise in risk management for computer security and provide such services to their clients. Unfortunately, this will be a long and slow process. In the meantime, we can expect to see many more disruptions on the Internet.